Review of the Railroad Retirement Board’s PIN/Password System
for On-Line Authentication
Report No. 03-09, September 8, 2003

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) review of the Railroad Retirement Board’s (RRB) decision to use the Personal Identification Number (PIN)/Password System to authenticate Internet transactions.

Background

The RRB’s mission is to administer retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families. During fiscal year (FY) 2002, the RRB paid approximately $8.7 billion in railroad retirement and survivor benefits to about 684,000 beneficiaries. The RRB also paid unemployment and sickness insurance benefits of $105.8 million to some 41,000 claimants.

Expanding electronic government, termed E-Government, is one of the five key elements of the President’s Management Agenda. Initiated in July 2001, this effort is designed to make better use of information technology investments to eliminate billions of dollars of wasteful Federal spending, reduce the government’s paperwork burden on citizens, and improve government response time. One of the ways the Federal government plans to accomplish these goals is by integrating technology investments across agencies.

The Government Paperwork Elimination Act requires Federal agencies, by October 21, 2003, to give customers the option of electronically doing business with the agency and to accept electronic signatures, when practicable. This Act specifically provides that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form.

In light of this legislation, the agency plans to provide services to the public via the Internet. One of the issues facing the agency is how to protect the integrity and confidentiality of electronic records and transactions. Different methods of verifying the identity of the individual making the transaction offer varying levels of assurance for integrity and confidentiality. Among these methods, in ascending level of assurance, are:

   •   shared secret methods (e.g. passwords),

   •   digitized signatures or biometric identifiers such as fingerprints, retinal patterns and voice recognition, and

   •   cryptographic digital signatures, also known as Public Key Infrastructure (PKI).

Any of these approaches may be appropriate for a given transaction depending on the balance between the benefits from the electronic process and the risks of harm.

In November 2002, the RRB implemented a PIN/Password system to authenticate users of the RRB’s Internet services. The agency’s Office of Programs is primarily responsible for maintaining the system. The system presently allows current and former railroad employees to conduct some business with the agency on-line.

The PIN/Password System is the gateway to access several completed or planned RRB Internet services.

   •   The Service and Compensation On-line component allows railroad employees and annuitants to view their railroad service and compensation records via the Internet.

   •   The Retirement Planner component, which should be available in the near future, will provide annuity estimates on-line with direct links to an individual’s service and compensation records.

   •   The Internet Unemployment and Sickness Insurance system will enable railroad employees to file unemployment applications and claims, as well as sickness claims, on-line. The unemployment applications portion of the system should also be available in the near future.

   •   Finally, the system that will allow individuals to apply for retirement annuities via the Internet is in the early development stage.

The RRB’s 2002-2005 Strategic Plan includes goals to provide excellent customer service and to use technology to improve the way the agency does business. The Internet services are part of the agency’s efforts to accomplish these goals.

Objective, Scope and Methodology

The objective of this review was to assess the agency’s decision process in choosing the PIN/Password system for authentication of individuals using the agency’s Internet services. The scope of our review was primarily limited to evaluating the planning and analysis performed by the RRB from fiscal year 2000 through the November 2002 implementation of the system.

To accomplish our objective, we reviewed applicable laws, regulations, and procedures; Federal guidance and agency practices; and agency planning documents. We also interviewed responsible management and staff.

This audit was conducted in accordance with generally accepted government auditing standards as applicable to the objective. Fieldwork was conducted at the RRB headquarters in Chicago, Illinois from April 2003 through August 2003.

RESULTS OF REVIEW

Our review determined that the RRB’s decision process was inadequate because the agency did not perform the necessary risk and cost benefit analysis before selecting an authentication method.

Nothing came to our attention during this review to indicate that the RRB’s PIN/Password system would not be an effective authentication method for the RRB’s Internet services. However, we did not perform the analysis necessary to determine if this system is the best authentication method based on costs and risks. It is RRB management’s responsibility to perform the analysis and make this determination. Also, we did not test controls for the system during this review, and therefore we have no assurance that these controls are working as intended and are effective. The OIG will perform an evaluation of controls once the RRB performs the required risk and cost analysis.

We also noted that the RRB placed the PIN/Password system into production without developing retention schedules for the Federal records obtained and/or produced by the system. As a result, the system administrators deleted some feedback messages submitted by users, even though the RRB had not requested the authority to destroy these records. Based on our audit, the system administrators have stopped deleting these records and have agreed to develop the necessary retention schedules. Accordingly, we make no recommendation in this area.

Detailed findings and recommendations are discussed below.

Insufficient Decision Process

The RRB did not adequately follow Federal guidance in its evaluation and selection of an authentication method for the agency’s Internet services. The agency did not sufficiently document its consideration of risks and controls. Therefore, we have no evidence that the agency adequately performed the Federally recommended risk analysis necessary to support the agency’s decision to use the PIN/Password system. The RRB also did not perform the recommended cost benefit analysis.

The only documentation prepared by the agency was a limited analysis of its proposed Internet services. In this analysis, the RRB created three levels of security for Internet transactions. The highest level uses PKI. The next level uses data encryption and PIN/Password, and the lowest level uses only data encryption. The RRB then placed each of the proposed Internet services into one of the three security levels.

The RRB’s documented analysis is insufficient because the agency:

   •   Provided no documentation for its determination of the appropriate security level for each of the Internet services.

   •   Did not document the inherent risks or the controls mitigating the risks for any of the proposed services.

   •   Did not assess or document the strengths and weaknesses of a PIN/Password authentication system or other alternatives.

   •   Moved on-line Unemployment and Sickness applications and claims from the PKI level of security to the lower PIN/Password level without any documented reason.

   •   Reconsidered the use of PKI for benefit applications because of concerns about PKI costs, frequency of RRB transactions, and implementation delays in the Federal PKI program, but provided no detailed data to support this argument.

The Office of Management and Budget (OMB) issued guidance to assist agencies in implementing the Government Paperwork Elimination Act. The OMB guidance recommends an assessment of the use and acceptance of electronic documents and transactions, including an evaluation of the suitability of electronic signature alternatives for a particular application. The assessment should include both a risk analysis and a cost benefit analysis. In performing the risk analysis, agencies should consider the relationship of the parties to the transaction, the value of the transaction, the risk of intrusion, and the future need for accessible and persuasive information regarding the transaction. The risk analysis should use a combination of quantitative and qualitative methods. The agency should document its decision on which combination of technologies, practices, and management controls minimizes risk while maximizing benefits.

In November 2000, the Department of Justice (DOJ) issued guidance entitled “Legal Considerations in Designing and Implementing Electronic Process: A Guide for Federal Agencies.” The guidance recommends that, when deciding whether to convert paper processes to electronic ones, agencies should conduct an analysis of the transaction or process to determine the level of protection needed and the level of acceptable risk.

The DOJ guidance also comments on the appropriateness of total conversion to a paperless process. Agencies should consider whether some paper documents should continue to be used. The guidance advises that sometimes “retaining a paper document might be the best, most certain, and easiest to prove medium for establishing a legally significant transaction or event.” The Government Paperwork Elimination Act does not require the use of electronic processes if an agency concludes that such use is not practicable for a particular transaction.

The National Institute of Standards and Technology has also provided guidelines for Federal agencies planning Internet services that require electronic authentication. The guidelines suggest a risk analysis similar to that recommended by OMB and DOJ.

RRB management did not believe that a cost and risk analysis was necessary because they believed the agency was following the efforts of other agencies. Several Federal agencies are using a PIN/Password system for some Internet transactions, but the OIG did not identify any agencies that are using the PIN/Password system as an electronic signature for benefit applications. For example, the Social Security Administration (SSA) offers on-line benefit applications, but the application must be printed and signed. Furthermore, SSA has suspended the expansion of its PIN/Password system pending the completion of a more comprehensive E-Authentication strategy. The Department of Veterans Affairs also has an on-line application, but requires a printed and signed signature page.

RRB management also relied on an October 2001 legal opinion from the RRB’s general counsel, who advised that there are no legal objections to using the PIN/Password system as an alternative to a signature. However, the legal opinion does not excuse the agency from a risk and cost analysis. The opinion referred to the November 2000 DOJ document that recommended performing a cost-based risk analysis to assess using electronic methods instead of paper transactions.

Management also relied on discussions with the OIG during development of the PIN/Password system. The OIG reviewed and commented on portions of the system as part of the agency’s process to obtain OMB’s approval to obtain personal information through the PIN/Password system. However, we did not perform the analysis necessary to determine if PIN/Password is the best authentication method based on costs and risks.

Because the RRB did not adequately follow guidance in this area, the agency may not have chosen the most cost-effective, risk-appropriate authentication method for each underlying Internet service. Without the risk assessment, the agency has not fully demonstrated that the PIN/Password system provides a sufficient level of authentication to meet the agency’s litigation and administrative needs. In addition, the agency is at increased risk of incurring unforeseen costs to manage and maintain the password databases because the costs have not been quantified and documented. Finally, the agency has not documented that the PIN/Password system will adequately protect the agency against unlawful disclosure of personal information.

Recommendations

The Office of Programs should:

   •   perform and document a risk and cost benefit analysis for each of the railroad employee and annuitant Internet services. The analyses should determine whether PIN/Password is the most appropriate authentication method or if another system of authentication (electronic or paper) should be used (Recommendation #1).

   •   complete the risk and cost benefit analysis prior to implementing the on-line unemployment, sickness and retirement benefit applications (Recommendation #2).

The Bureau of Information Services should establish procedures that comply with Federal guidance on selecting and implementing authentication methods for on-line services (Recommendation #3).

Management’s Response

The Office of Programs concurs with recommendation #1. They advised that they have completed the analysis for the proposed unemployment and sickness services and will complete the analysis for the currently operational Internet services by March 30, 2004. The Office of Programs also concurs with recommendation #2. They will not implement any Internet benefit applications until after completion of the suggested analyses. A complete copy of their response, without attachments, is included in Attachment 1.

The Bureau of Information Services concurs with recommendation #3 and will update the appropriate Information Technology Standards and Procedures by the end of fiscal year 2005. A complete copy of their response is included in Attachment 2.

Recent OMB Mandate on E-Authentication Interagency Compatibility

On July 3, 2003, OMB issued a memorandum to all Federal agency Chief Information Officers stating that agencies should pursue a cross-agency approach for authentication and identity management. OMB advised that it is executing Federal-wide acquisitions of authentication technology, including PIN/Password, and is requesting agencies not to acquire authentication technology without prior consultation with the government-wide E-Authentication team.

OMB also advised that it is consolidating agency investments in credentials and PKI services. It will select shared service providers by December 31, 2003, with agency migrations to those selected shared service providers occurring throughout FY 2004 and 2005. In the memorandum, OMB advises: “There will be no new funding in FY06 for authentication or identity management investments not related to the selected shared service providers… Agencies should develop migration plans to the shared service with planning work beginning now and a final plan expected following the selection of the shared service providers.”

RRB management has been monitoring the E-Authentication initiative and has agreed to consider this mandate in the analyses required in recommendation #1. The OIG will monitor compliance with this mandate to ensure that compatibility and the potential funding risks of non-compatibility are adequately reflected in the cost and risk analyses.